‘Huge loopholes’ in new NSA policy?

The Obama administration is looking to rein in the controversial practice of spies exploiting software glitches, but the secrecy surrounding the reforms is getting blowback from tech companies and privacy activists.

{mosads}The new policy, unveiled in response to questions about the National Security Agency’s (NSA) knowledge of the massive “Heartbleed” software glitch, directs agents to tell tech companies about discovered bugs so they can be fixed instead of keeping mum and using them for their own purposes.

Activists said they were unaware of the administration’s new stance before a National Security Council spokeswoman’s statement on Friday. They said the administration’s policy appears to be riddled with loopholes and won’t make the Internet any safer.

“This is definitely a policy that came out of the shadows, and the fact that there are these huge loopholes in it reflects the fact that it was shaped by people on the intelligence and law enforcement side,” said Christopher Soghoian, the principal technologist at the American Civil Liberties Union.

The NSA routinely seeks and buys information about bugs in common software code both to protect government systems from possible flaws and to exploit them to collect information. According to reports, the mysterious Stuxnet attack on an Iranian nuclear facility exploited four of the vulnerabilities.

The agency’s use of the bugs has come under fire, with technology activists alleging that it undermines security online.

“If cybersecurity is such a threat, if we’re so scared about the Chinese government breaking into our companies’ computers and stealing secrets, why are we not fixing the vulnerabilities?” Soghoian said. “It totally undermines everything the government has said about what they’re doing about cybersecurity. They’re making things worse.”

The glitches are known as “zero days,” because developers have zero days to fix them before they can be exploited.

A White House review group late last year suggested that the administration make sure detected flaws are “quickly blocked, so that the underlying vulnerabilities are patched on U.S. Government and other networks.”

“In rare instances, U.S. policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments,” the group added.

Since then, the issue had largely been sidelined as debates raged over other contested aspects of the NSA’s surveillance, especially its bulk collection of records about people’s phone calls. But a Bloomberg report accusing the agency of exploiting the Heartbleed bug in a popular encryption technology brought the issue back to the spotlight late last week.

In denying the report on Friday, National Security Council spokeswoman Caitlin Hayden said that the administration has “reinvigorated” a process of alerting companies to those flaws.

“Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities,” she said.

But the lack of any formal policy paper or memorandum caused civil liberties advocates to worry that that exception in the policy could be too broad. Unlike other administration efforts, such as curbing the government’s collection of people’s phone records, activists weren’t consulted on the new policy, they said.

“It doesn’t seem to change it a whole lot,” said Joseph Hall, chief technologist at the Center for Democracy and Technology. “The bias toward disclosure is great, but that loophole is such that it’s hard for me, without a primary document like a presidential directive or an executive order or something to outline for anyone … how this is going to be any different from what it is now.”

“That seems to allow stockpiling of stuff as long as someone makes the trivial declaration that there’s a clear national security or law enforcement need,” he added.

Technology companies were also wary of the change in course.

“Broad exceptions for national security and law enforcement use are too likely to be so wide as to effectively swallow the rule, and experience has sadly demonstrated discretionary limits in this area are really no limits at all,” said Ed Black, the president and CEO of the Computer and Communications Industry Association, in a statement. The trade group represents Google, Facebook and more than a dozen other tech and communications companies. 

“One of the major purposes of the NSA is to work to protect the computers of the U.S. government and the U.S. people,” he added. “We hope that the prime focus of the government will be to work with the private sector to fix problems.”